Oracle's Quarterly Patch Fixes 36 Java Security Flaws

On Tuesday Oracle issued a Critical Patch Update a (CPU) with new security fixes for 144 vulnerabilities in their products, including 36 fixes for Java Standard Edition 7 (Java SE 7). Thirty-four of the Java vulnerabilities "may be remotely exploitable without authentication." The list of affected Oracle products includes several versions of the Oracle Database and Fusion Middleware, as well as its business applications, Sun Systems products and MySQL.

Oracle announced the update on it's Web site here and strongly advised its customers to apply the fixes as soon as possible.

Oracle issues CPUs on a quarterly basis on the Tuesday closest to the 17th day of January, April, July and October, so the announcement was expected. But the media spotlight was especially hot on this one, because it followed news that Yahoo's advertising servers were distributing malware to hundreds of thousands of users, mostly in Europe -- an exploit enabled by a Java vulnerability. Analysts at Fox-IT, a security firm based in the Netherlands, broke the news on January 3. That exploit affected users between December 27, 2013 and January 3 2014.

The ongoing exploitation of Java -- to be precise, the Java browser plugin -- raises the question: Is Java less secure since Oracle took over?

"I get that question all the time," said Gartner Group analyst Mark Driver. "But I think Oracle has been putting more engineering efforts into securing Java than Sun was doing. The unfortunate fact is, there will never be a moment when we can really say, We've fixed Java. Over time I think it can be made harder and harder to hack. But this is an ongoing game of catch up -- of hack and fix, hack and fix."

His advice to developers: Don't use heavyweight RIAs if you don't have to.

"That wasn't possible in the past, because there were tremendous compromises involved," Driver said. "But with Ajax, and especially HTML5, it's possible to replace a lot of what's happening in Flash, Silverlight r Java. The use of heavyweight RIAs is plummeting and will continue to plummet over the next five years. They'll all but disappear off the Internet in a few years as HTML5 matures."

Oracle wasn't the only big software vendor issuing security patches this week. Adobe released patches for its AIR runtime, Acrobat XI, Reader and Flash Player. And Microsoft released security updates for its Dynamics AX, Office, Server Software, and Windows OS.